Bill C–22 Can Be Corrected

By: Nick Heer
20 May 2026 at 02:12

Justin Ling, the Star:

Yet Bill C-22 doesn’t mandate backdoors nor force companies to introduce any. It explicitly states the government cannot compel companies to introduce “systemic vulnerability” into their services. And it doesn’t give cops or spies new authority to intercept Canadians’ communications; it simply creates a process enlisting companies to help out with doing so.

Ottawa is now scrambling to correct the record. Anandasangaree will reply to the Republicans, conveying “this legislation does not provide for indiscriminate access to devices or communications and does not require companies to weaken encryption and introduce so-called ‘backdoors,’” according to a spokesperson. (The U.S. and the U.K., they also noted, already have these powers; Signal hasn’t withdrawn from either country.)

So the bill is not quite the nightmare some have made it out to be. But there are still some big issues.

Whether Signal is crying wolf or simply believes the laws in those countries are strong enough to prevent mandated backdoors is a good question. In the U.K., for instance, Ofcom is not allowed to require a backdoor, but it is empowered to tell providers to weaken encryption for some without compromising the privacy of their platforms for all when “feasible technology” exists to do so. On the one hand, that technology probably cannot exist; on the other hand, Signal is banking on a privacy-friendly interpretation of that law if it is ever tested.

Apple, meanwhile, has not returned Advanced Data Protection to the U.K. despite the U.S. Director of National Intelligence’s claim that efforts to compromise its encryption have been withdrawn. This demand was made under a different law that, I suppose, Signal must not feel is immediately threatening.

Bill C–22 does, as Ling writes, provide an exemption for instances where compliance with interception demands would “require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability”. This is the same language as appeared in the Strong Borders Act proposed last year, though C–22 has new powers requiring the retention of metadata. It seems to me that a systemic vulnerability — one that “creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so”, according to this bill — might not be found in something like metadata retention, which is what apparently concerns Signal.

Signal Warns It Would Pull Out of Canada if Made to Comply With Bill C–22

By: Nick Heer
14 May 2026 at 04:03

Marie Woolf, the Globe and Mail:

Secure messaging service Signal, which uses end-to-end encryption, is warning it would withdraw from Canada if asked to compromise its users’ privacy under Bill C-22, Ottawa’s proposed lawful access legislation.

[…]

The bill would require “core providers” — which would later be defined through regulations — to retain metadata for up to a year.

Are lawmakers capable of learning from their peers elsewhere? Do we have to do this kind of thing every year, country-by-country?

The War on Encryption Is Dangerous

By: Nick Heer
25 March 2025 at 23:58

Meredith Whittaker, president of Signal — which has recently been in the news — in an op-ed for the Financial Times:

The UK is part and parcel of a dangerous trend that threatens the cyber security of our global infrastructures. Legislators in Sweden recently proposed a law that would force communication providers to build back door vulnerabilities. France is poised to make the same mistake when it votes on the inclusion of “ghost participants” in secure conversations via back doors. “Chat control” legislation haunts Brussels.

There is some good news: French legislators ultimately rejected this provision.

Matt Mullenweg v. WP Engine

23 September 2024 at 16:44

Automattic CEO and WordPress co-developer Matt Mullenweg published a post on September 21 calling WP Engine a “cancer to WordPress”. For the uninitiated: WP Engine is an independent company that provides managed hosting for WordPress sites; WordPress.com is owned by Automattic and it leads the development of WordPress.org. WP Engine’s hosting plans start at $30 a month and it enjoys a good public reputation. Mullenweg’s post however zeroed in on WP Engine’s decision to not record the revisions you’ve made to your posts in your site’s database. This is a basic feature in the WordPress content management system, and based on its absence Mullenweg says:

What WP Engine gives you is not WordPress, it’s something that they’ve chopped up, hacked, butchered to look like WordPress, but actually they’re giving you a cheap knock-off and charging you more for it.

The first thing that struck me about this post was its unusual vehemence, which Mullenweg has typically reserved in the past for more ‘extractive’ platforms like Wix whose actions have also been more readily disagreeable. WP Engine has disabled revisions but as Mullenweg himself pointed out it doesn’t hide this fact. It’s available to view on the ‘Platform Settings’ support page. Equally, WP Engine also offers daily backups; you can readily restore one of them and go back to a previous ‘state’.

Second, Mullenweg accuses WP Engine of “butchering” WordPress but this is stretching it. I understand where he’s coming from, of course: WP Engine is advertising WordPress hosting but it doesn’t come with one of the CMS’s basic features, which WP Engine doesn’t hide but doesn’t really advertise either. This isn’t just really far removed from “butchering” (much less in public), it’s also dishonest: WP Engine didn’t modify WordPress’s core, it simply turned off a setting that was available to turn off.

WP Engine’s stated reason is that post revisions increase database costs that the company would like to keep down. Mullenweg interprets this to mean WP Engine wants “to avoid paying to store that data”. Well, yeah, and that’s okay, right? I can’t claim to be aware of all the trade-offs that determined WP Engine’s price points but turning off a feature to keep costs down and reactivating it upon request for individual users seems fair.

In fact, what really gets my goat is Mullenweg’s language, especially around how much WP Engine charges. He writes:

They are strip-mining the WordPress ecosystem, giving our users a crappier experience so they can make more money.

WordPress.com offers a very similar deal to its customers. (WordPress.com is Automattic’s platform for users where they can pay the company to host WordPress sites for them.) In the US, you’ll need to pay at least $25 a month (billed yearly) to be able to upload custom themes and plugins to your site. All the plans below that rate don’t have this option. You also need this plan to access and jump back to different points of your site’s revision history.

Does this mean WordPress.com is “strip-mining” its users to avoid paying for the infrastructure required for those features? Or is it offering fewer features at lower price points because that’s how it can make its business work? I used to be happy that WordPress.com offers a $48 a year plan with fewer features because I didn’t need them — just as WP Engine seems to have determined it can charge its customers less by disabling revision history by default.

(I’m not so happy now because WordPress.com moved detailed site analytics — anything more than hits to posts — from the free plan to the Premium plan, which costs $96 a year.)

It also comes across as disingenuous for Mullenweg to say the “cancer” a la WP Engine will spread if left unchecked. He himself writes no WordPress host listed on WordPress.org’s recommended hosts page has disabled revisions history — but is he aware of the public reputation of these hosts, their predatory pricing habits, and their lousy customer service? Please take a look at Kevin Ohashi’s Review Signal website or r/webhosting. Cheap WordPress in return for a crappy hosting experience is the cancer that’s already spread because WordPress didn’t address it.

(It’s the reason I switched to composing my posts offline on MarsEdit, banking on its backup features, and giving up on my expectations of hosts including WordPress.com.)

It’s unfair to accuse companies of “strip-mining” WordPress so hosting providers can avail users a spam-free, crap-free hosting experience that’s also affordable. In fact, given how flimsy many of Mullenweg’s arguments seem to be, they’re probably directed at some other deeper issue — perhaps what he perceives to be WP Engine not contributing enough back to the open source ecosystem?
